The difference and connection between HTTP and HTTPS

Source: Internet
Author: User

The Hypertext Transfer Protocol (HTTP) is used to pass information between a web browser and a web server. HTTP sends content in plaintext and provides no data encryption of any kind. If an attacker intercepts the messages exchanged between a browser and a server, the information can be read directly, so HTTP is not suitable for transmitting sensitive information such as credit card numbers, passwords, and other payment information.

To address this flaw in HTTP, another protocol is needed: HTTP over Secure Sockets Layer (HTTPS). To secure data transmission, HTTPS adds the SSL protocol on top of HTTP. SSL relies on certificates to verify the identity of the server and encrypts the communication between the browser and the server.

I. Basic concepts of HTTP and HTTPS

HTTP: the most widely used protocol on the Internet. It is a request and response standard between client and server (over TCP), the transport protocol used to transfer hypertext from a WWW server to the local browser. It makes the browser more efficient and reduces network transmission.

HTTPS: an HTTP channel designed for security. Simply put, it is the secure version of HTTP, that is, HTTP with an SSL layer underneath. SSL is the security foundation of HTTPS, so the details of the encryption are handled by SSL.

The HTTPS protocol serves two main purposes: one is to establish a secure channel that protects data in transit; the other is to confirm the authenticity of the website.

II. What is the difference between HTTP and HTTPS?

Data transmitted over HTTP is unencrypted, that is, plaintext, so transmitting private information over HTTP is very unsafe. To allow such private data to be encrypted in transit, Netscape designed the SSL (Secure Sockets Layer) protocol to encrypt the data carried by HTTP, and HTTPS was born.

In simple terms, HTTPS is a network protocol built from SSL + HTTP that provides encrypted transmission and identity authentication, and it is more secure than HTTP.

The main differences between HTTPS and HTTP are as follows:

1. HTTPS requires applying to a CA for a certificate. Free certificates are generally rare, so there is a certain cost.

2. HTTP is the Hypertext Transfer Protocol and transmits information in plaintext; HTTPS is a secure transfer protocol encrypted with SSL.

3. HTTP and HTTPS use completely different connection methods and different ports: the former uses 80, the latter 443.

4. An HTTP connection is very simple and stateless; HTTPS is a network protocol built from SSL + HTTP that provides encrypted transmission and identity authentication, and it is more secure than HTTP.

III. How HTTPS works

HTTPS encrypts information so that sensitive data is not available to third parties, which is why many services with high security requirements, such as bank websites or e-mail services, use the HTTPS protocol.

1. Client initiates HTTPS request

There is little to say here: the user enters an HTTPS URL in the browser, and the browser connects to port 443 on the server.

2. Server-side configuration

A server that uses HTTPS must have a digital certificate. You can create one yourself or apply to an organization for one. The difference is that a self-issued certificate must be verified by the client before access can continue, whereas a certificate obtained from a trusted company does not trigger a warning page (StartSSL is a good choice, with 1 year of free service).

This certificate is in effect a pair of public and private keys. If public and private keys are unfamiliar, think of a key and a lock, where you are the only person in the world who has the key. You can give the lock to others, they can use the lock to lock up something important and send it to you, and because only you have the key, only you can see what has been locked up.

3. Transfer Certificate

This certificate is in effect the public key, but it also contains a lot of other information, such as the certificate authority, the expiration time, and so on.

4. Client parses the certificate

This work is done by the client's TLS implementation. It first verifies that the public key is valid, checking for example the issuing authority and the expiration time. If an anomaly is found, a warning box pops up indicating that there is a problem with the certificate.

If the certificate has no problems, the client generates a random value and encrypts it with the certificate. As described above, this locks the random value with the lock, so that the locked content cannot be seen without the key.

5. Transmitting encrypted information

This step transmits the random value encrypted with the certificate. The purpose is to let the server obtain this random value, so that later communication between the client and the server can be encrypted and decrypted with it.

6. Server decrypts the information

After the server decrypts with its private key, it obtains the random value sent by the client (the private key) and then encrypts the content symmetrically with this value. Symmetric encryption means that the information and the private key are mixed together by some algorithm, so that the content cannot be obtained without the private key; and only the client and the server know this private key. So as long as the encryption algorithm is strong enough and the private key is complex enough, the data is secure.

7. Transmitting the encrypted information

This is the information the server has encrypted with the private key, which can be restored on the client.

8. Client decrypts the information

The client uses the previously generated private key to decrypt the information sent by the server and obtains the decrypted content. Even if a third party intercepts the data at any point in the process, there is nothing it can do with it.
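
The eight steps above, condensed into an added Python sketch that is not part of the original article: the client locks a random value with the server's public key, and both sides then use it as the shared symmetric key. The toy RSA key pair, the SHA-256 based stand-in cipher, and all function names are assumptions chosen for illustration, not what a real SSL/TLS stack uses.

```python
import hashlib, hmac, secrets

# Constructed toy RSA key pair built from two Mersenne primes: illustration only.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q                              # public key (N, E) travels in the certificate
D = pow(E, -1, (P - 1) * (Q - 1))      # private key never leaves the server

def _keys(secret, label):
    """Derive separate encryption and MAC keys per direction from the shared secret."""
    return [hashlib.sha256(secret + label + use).digest() for use in (b"enc", b"mac")]

def _xor_stream(key, data):
    """SHA-256 in counter mode as a stand-in for a real symmetric cipher."""
    blocks = (len(data) + 31) // 32
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(secret, label, plaintext):
    enc, mac = _keys(secret, label)
    ct = _xor_stream(enc, plaintext)
    return ct + hmac.new(mac, ct, hashlib.sha256).digest()

def unseal(secret, label, record):
    enc, mac = _keys(secret, label)
    ct, tag = record[:-32], record[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or record modified in transit")
    return _xor_stream(enc, ct)

def client_wrap_secret(n, e):
    """Steps 4-5: generate the random value and lock it with the server's public key."""
    secret = secrets.token_bytes(16)
    return secret, pow(int.from_bytes(secret, "big"), e, n)

def server_unwrap_secret(wrapped):
    """Step 6: only the private exponent D recovers the random value."""
    return pow(wrapped, D, N).to_bytes(16, "big")

def run_session(request, response):
    secret_c, wrapped = client_wrap_secret(N, E)
    secret_s = server_unwrap_secret(wrapped)
    req_seen = unseal(secret_s, b"c2s", seal(secret_c, b"c2s", request))
    wire = seal(secret_s, b"s2c", response)                          # step 7
    return req_seen, unseal(secret_c, b"s2c", wire), wire, wrapped   # step 8
```

TLS 1.3 removed this RSA key transport in favour of ephemeral Diffie-Hellman, so the flow shown here corresponds to older SSL/TLS configurations.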

VI. The advantages of HTTPS

Precisely because HTTPS is very secure and gives attackers nowhere to start, from a webmaster's point of view HTTPS has the following 2 advantages:

1. SEO aspects

Google adjusted its search engine algorithm in August 2014, saying that "sites with HTTPS encryption will be ranked higher in search results than equivalent HTTP sites."

2. Security

HTTPS is not completely secure: the organizations that hold root certificates and the organizations that master the cryptographic algorithms can still attack as an intermediary. Even so, HTTPS is the most secure solution under the current architecture, with the following benefits:

(1) HTTPS can authenticate users and servers, ensuring that data is sent to the correct client and server;

(2) HTTPS is a network protocol built from SSL + HTTP that provides encrypted transmission and identity authentication. It is more secure than HTTP and prevents data from being stolen or altered in transit, ensuring the integrity of the data.

(3) HTTPS is the most secure solution under the current architecture; although it is not completely secure, it greatly increases the cost of man-in-the-middle attacks.

VII. Disadvantages of HTTPS

Although HTTPS has great advantages, it also has some shortcomings. Specifically, there are the following 2 points:

1. SEO aspects

According to ACM CoNEXT data, using HTTPS increases page load time by nearly 50% and power consumption by 10% to 20%. In addition, HTTPS affects caching, increases data overhead and power consumption, and even existing security measures are affected.

The scope of what HTTPS encryption protects is also relatively limited; it plays almost no role against hacker attacks, denial-of-service attacks, server hijacking, and the like.

Most critically, the chain-of-trust system behind SSL certificates is not secure; in particular, where some countries can control a CA root certificate, man-in-the-middle attacks are just as feasible.

2. Economic aspects

(1) SSL certificates cost money, and the more powerful the certificate, the higher the cost; personal websites and small sites generally do not use one unless necessary.

(2) An SSL certificate usually needs to be bound to an IP address, and multiple domain names cannot be bound on the same IP; IPv4 resources cannot sustain this consumption (SSL has an extension that can partially solve this problem, but it is troublesome and requires browser and operating system support; Windows XP does not support this extension, and given XP's installed base, the feature is almost useless).

(3) HTTPS connections cache less efficiently than HTTP; high-traffic sites will not use it unless necessary, because the traffic cost is too high.

(4) HTTPS connections consume far more server-side resources, so supporting a site with even a small number of visitors requires more investment; if HTTPS is used everywhere, then on the assumption that most computing resources sit idle, the average cost of a VPS will go up.

(5) The HTTPS handshake phase is time-consuming and has a negative effect on the site's response speed; unless it is necessary, there is no reason to sacrifice the user experience.
